Governments' Favorite Cyberweapons Don't Look Anything Like Stuxnet

Brian Fung

The term “cyberwarfare” conjures images of hackers developing nasty scripts and viruses to be used by state militaries as an instrument of foreign policy. Stuxnet, the malware that disabled thousands of Iranian nuclear centrifuges, was all but confirmed as the product of U.S. and Israeli information warriors. But these kinds of sophisticated weapons are hard to cover up, harder to build and still harder to keep from getting out of control. Sexy as they are, tools like Stuxnet only make sense some of the time.

The rest of the time, according to an annual study of data breaches released today, state-affiliated attacks draw inspiration from a more common, though no less effective, source: the criminal world. The weapon of choice for most governments? Phishing, or the sending of fake emails that try to get targets to click malware-laden links or attachments.

Ninety-five percent of all data breaches that can be connected to a government IP address involve phishing attacks, per the study, which was conducted by Verizon’s RISK team. The yearly report looks at tens of thousands of reported attacks and examines the subsequent investigations by law enforcement and private cybersecurity firms.

How do we know that governments are deploying phishing attacks? A lot of it is based on educated guesswork, Ostertag admitted. Still, the RISK team doesn't make a determination on the culprit unless the circumstantial evidence is fairly strong.

“When we’re able to make a conclusion as to attribution,” he said, “it’s more through the use of MD5 hashing, and looking for a hard-coded IP address inside a piece of malware that’s affiliated with a known IP.” Known IP addresses often come in via government authorities who’ve been monitoring the addresses themselves. In all, Verizon’s partnered with 18 agencies around the world to gather its data, from the U.S. Secret Service to the Australian Federal Police.
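The kind of check Ostertag describes, as an added example that is not from the article or from Verizon's tooling: hash a sample, pull out hard-coded IPv4 strings, and compare both against known indicators. The sample bytes and indicator set are constructed, the IPs come from documentation ranges, and the function names are hypothetical.

```python
import hashlib
import ipaddress
import re

# Dotted quads stored as ASCII, and as UTF-16LE (each character followed by NUL).
IPV4_ASCII = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")
IPV4_UTF16 = re.compile(
    rb"(?<![0-9.]\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?![0-9.]\x00)")

# Constructed indicators (documentation-range addresses, not real infrastructure).
KNOWN_IPS = {"203.0.113.45", "198.51.100.7"}

# Constructed sample: one UTF-16LE address, one ASCII address, and two decoys
# (a five-part version string and an out-of-range octet).
SAMPLE = (b"MZ\x90\x00" + "198.51.100.7".encode("utf-16-le") + b"\x00\x00"
          + b"connect 203.0.113.45:443\x00"
          + b"build 1.2.3.4.5 host 192.0.2.300\x00")

def md5_hex(data: bytes) -> str:
    # MD5 is used here only as a sample identifier, as in the quote.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()

def embedded_ipv4(data: bytes) -> set[str]:
    """Return syntactically valid IPv4 addresses hard-coded in the bytes."""
    candidates = [m.group().decode() for m in IPV4_ASCII.finditer(data)]
    candidates += [m.group().replace(b"\x00", b"").decode()
                   for m in IPV4_UTF16.finditer(data)]
    found = set()
    for text in candidates:
        try:
            found.add(str(ipaddress.IPv4Address(text)))  # rejects octets > 255
        except ValueError:
            continue
    return found

def triage(data: bytes, known_md5: set[str], known_ips: set[str]) -> dict:
    """Compare a sample's hash and embedded addresses with known indicators."""
    digest = md5_hex(data)
    ips = embedded_ipv4(data)
    return {"md5": digest,
            "hash_match": digest in known_md5,
            "ip_matches": sorted(ips & known_ips),
            "other_ips": sorted(ips - known_ips)}

if __name__ == "__main__":
    print(triage(SAMPLE, {md5_hex(SAMPLE)}, KNOWN_IPS))
```

Appending a single byte to the sample changes its MD5 and breaks the hash match, while the embedded-address match still fires.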

Since the project began nearly a decade ago, Verizon’s data breach investigations report has tallied 2,500 confirmed penetrations that resulted in a loss of data. Over a billion personal records have been compromised. Not all of those were the result of government actions. But state-affiliated hacking attempts last year accounted for almost a fifth of all data breaches. Good thing some companies have started phishing their own employees to practice their defense.